From 1eba793dd375aa51097563e626f80b4634aee5ca Mon Sep 17 00:00:00 2001 From: Conrad Grobler Date: Fri, 9 Feb 2024 11:05:21 +0000 Subject: [PATCH] Address review comments --- oak_attestation_verification/src/verifier.rs | 73 ++++++++++-------- ...idence.binarypb => fake_evidence.binarypb} | Bin ...ence.textproto => fake_evidence.textproto} | 6 +- .../tests/verifier_tests.rs | 34 ++++---- proto/attestation/evidence.proto | 2 +- proto/attestation/reference_value.proto | 18 ++--- proto/attestation/verification.proto | 8 +- 7 files changed, 73 insertions(+), 68 deletions(-) rename oak_attestation_verification/testdata/{mock_evidence.binarypb => fake_evidence.binarypb} (100%) rename oak_attestation_verification/testdata/{mock_evidence.textproto => fake_evidence.textproto} (98%) diff --git a/oak_attestation_verification/src/verifier.rs b/oak_attestation_verification/src/verifier.rs index 1b7252ac9c3..8f69200b525 100644 --- a/oak_attestation_verification/src/verifier.rs +++ b/oak_attestation_verification/src/verifier.rs 
@@ -33,13 +33,13 @@ use oak_proto_rust::oak::{ attestation::v1::{ attestation_results::Status, binary_reference_value, endorsements, extracted_evidence::EvidenceValues, reference_values, root_layer_data::Report, - root_layer_reference_values, AmdAttestationReport, AmdSevReferenceValues, ApplicationKeys, - ApplicationLayerData, ApplicationLayerEndorsements, ApplicationLayerReferenceValues, - AttestationResults, BinaryReferenceValue, CbData, CbEndorsements, CbReferenceValues, - ContainerLayerData, ContainerLayerEndorsements, ContainerLayerReferenceValues, - Endorsements, Evidence, ExtractedEvidence, IntelTdxAttestationReport, - IntelTdxReferenceValues, KernelLayerData, KernelLayerEndorsements, - KernelLayerReferenceValues, MockAttestationReport, OakContainersData, + AmdAttestationReport, AmdSevReferenceValues, ApplicationKeys, ApplicationLayerData, + ApplicationLayerEndorsements, ApplicationLayerReferenceValues, AttestationResults, + BinaryReferenceValue, CbData, CbEndorsements, CbReferenceValues, ContainerLayerData, + ContainerLayerEndorsements, ContainerLayerReferenceValues, Endorsements, Evidence, + ExtractedEvidence, FakeAttestationReport, InsecureReferenceValues, + IntelTdxAttestationReport, IntelTdxReferenceValues, KernelLayerData, + KernelLayerEndorsements, KernelLayerReferenceValues, OakContainersData, OakContainersEndorsements, OakContainersReferenceValues, OakRestrictedKernelData, OakRestrictedKernelEndorsements, OakRestrictedKernelReferenceValues, ReferenceValues, RootLayerData, RootLayerEndorsements, RootLayerEvidence, RootLayerReferenceValues, @@ -143,7 +143,7 @@ pub fn verify( { Report::SevSnp(values) => values.report_data.as_ref(), Report::Tdx(values) => values.report_data.as_ref(), - Report::Mock(values) => values.report_data.as_ref(), + Report::Fake(values) => values.report_data.as_ref(), }; // The report data contains 64 bytes by default, but we only use the first 32 bytes at the // moment. 
@@ -405,6 +405,14 @@ fn verify_intel_tdx_attestation_report(
     anyhow::bail!("needs implementation")
 }
 
+/// Verifies a fake attestation report.
+fn verify_fake_attestation_report(
+    _attestation_report_values: &FakeAttestationReport,
+    _reference_values: &InsecureReferenceValues,
+) -> anyhow::Result<()> {
+    Ok(())
+}
+
 /// Verifies the signature chain for the attestation report included in the root.
 fn verify_root_attestation_signature(
     _now_utc_millis: i64,
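Review bot: The doc comment on the new `verify_fake_attestation_report` says it "verifies" the report, but the body is an unconditional `Ok(())` and both parameters are deliberately unused, so the comment hides the one thing a reader of this verifier needs to know. I would replace it with `/// Accepts a fake attestation report without checking anything. Only reachable when the caller configured \`InsecureReferenceValues\`; a policy that takes this path gets no TEE guarantee and is for development and testing only.` Keeping the `_`-prefixed parameters is fine, but the comment should say why they are ignored rather than imply they are inspected.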
@@ -444,29 +452,28 @@ fn verify_root_layer(
     _endorsements: Option<&RootLayerEndorsements>,
     reference_values: &RootLayerReferenceValues,
 ) -> anyhow::Result<()> {
-    if let Some(root_layer_reference_values::Type::Skip(_)) = reference_values.r#type {
-        return Ok(());
-    }
     match values.report.as_ref() {
-        Some(Report::SevSnp(report_values)) => {
-            if let Some(root_layer_reference_values::Type::AmdSev(reference)) =
-                reference_values.r#type.as_ref()
-            {
-                verify_amd_sev_attestation_report(report_values, reference)
-            } else {
-                anyhow::bail!("AMD SEV-SNP reference values not found");
-            }
-        }
-        Some(Report::Tdx(report_values)) => {
-            if let Some(root_layer_reference_values::Type::IntelTdx(reference)) =
-                reference_values.r#type.as_ref()
-            {
-                verify_intel_tdx_attestation_report(report_values, reference)
-            } else {
-                anyhow::bail!("Intel TDX reference values not found");
-            }
-        }
-        Some(Report::Mock(_report_values)) => Ok(()),
+        Some(Report::SevSnp(report_values)) => verify_amd_sev_attestation_report(
+            report_values,
+            reference_values
+                .amd_sev
+                .as_ref()
+                .context("AMD SEV-SNP reference values not found")?,
+        ),
+        Some(Report::Tdx(report_values)) => verify_intel_tdx_attestation_report(
+            report_values,
+            reference_values
+                .intel_tdx
+                .as_ref()
+                .context("Intel TDX reference values not found")?,
+        ),
+        Some(Report::Fake(report_values)) => verify_fake_attestation_report(
+            report_values,
+            reference_values
+                .insecure
+                .as_ref()
+                .context("insecure reference values not found")?,
+        ),
         None => Err(anyhow::anyhow!("no attestation report")),
     }
 }
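Review bot: With the `oneof` gone from `RootLayerReferenceValues`, `amd_sev`, `intel_tdx` and `insecure` can all be populated at once, and the rewritten `match` lets the evidence's `report` variant — data the attester controls — choose which of them is consulted; a production policy that sets `amd_sev` but also carries `insecure` (e.g. copied from a test fixture) will now accept non-TEE evidence without any error. The removed `Type::Skip` early return was at least an exclusive, operator-made choice, whereas the new shape permits a silent downgrade to the fake path. I would reject the ambiguous configuration before the `match`, so the verifier rather than the evidence decides the platform. The start of `verify_root_layer` (its `values` and `_now` parameters) is above this hunk.
```rust
) -> anyhow::Result<()> {
    // `insecure` disables root-layer verification entirely. Never let it coexist
    // with real TEE reference values, otherwise attester-chosen evidence
    // (Report::Fake) can downgrade a SEV-SNP/TDX policy to the unchecked path.
    if reference_values.insecure.is_some()
        && (reference_values.amd_sev.is_some() || reference_values.intel_tdx.is_some())
    {
        anyhow::bail!("insecure reference values cannot be combined with TEE reference values");
    }
    // … unchanged: match on values.report …
```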
@@ -834,17 +841,17 @@ fn extract_root_values(root_layer: &RootLayerEvidence) -> anyhow::Result Err(anyhow::anyhow!("not supported")), TeePlatform::None => { - // We use an unsigned, mostly empty AMD SEV-SNP attestation report as a mock when not + // We use an unsigned, mostly empty AMD SEV-SNP attestation report as a fake when not // running in a TEE. let report = AttestationReport::ref_from(&root_layer.remote_attestation_report) - .context("invalid mock attestation report")?; + .context("invalid fake attestation report")?; report.validate().map_err(|msg| anyhow::anyhow!(msg))?; let report_data = report.data.report_data.as_ref().to_vec(); Ok(RootLayerData { - report: Some(Report::Mock(MockAttestationReport { report_data })), + report: Some(Report::Fake(FakeAttestationReport { report_data })), }) } } diff --git a/oak_attestation_verification/testdata/mock_evidence.binarypb b/oak_attestation_verification/testdata/fake_evidence.binarypb similarity index 100% rename from oak_attestation_verification/testdata/mock_evidence.binarypb rename to oak_attestation_verification/testdata/fake_evidence.binarypb diff --git a/oak_attestation_verification/testdata/mock_evidence.textproto b/oak_attestation_verification/testdata/fake_evidence.textproto similarity index 98% rename from oak_attestation_verification/testdata/mock_evidence.textproto rename to oak_attestation_verification/testdata/fake_evidence.textproto index 0ffb560ca89..68ab6a63c3d 100644 --- a/oak_attestation_verification/testdata/mock_evidence.textproto +++ b/oak_attestation_verification/testdata/fake_evidence.textproto 
@@ -2,12 +2,10 @@ # proto-message: oak.attestaton.v1.Evidence # # Attestation evidence generated when not running on a TEE. -# Generated on 8 Feb 2024. `mock_evidence.binarypb` is the same instance in +# Generated on 9 Feb 2024. `fake_evidence.binarypb` is the same instance in # serialized binary format. -# -# The stage0 binary is measured in the attestation report. root_layer { - platform: NONE + platform: TEE_PLATFORM_NONE remote_attestation_report: "\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000l\025\313\320C\030T\201i\347\024\300\363\023\241\306\' \003\317f\341\231\"\330D\306D2\r\336\214\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000
\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000\000" eca_public_key: "\247\001\002\002T\355\215\321Z\334ux&\262\214\370*\232L\217\023\307\010.\007\0038.\004\201\002 \001!X \024\221\3475\317u\245\372\226\236uTX\307\323l\336\242y\206\305\357\r\244\036)(\036HZ\330\004\"X \023=\367r@\000\177\334\331<\014\034\345\336\006\223w\343\3125\335\263\243\201UFx\241\346n\030\036" } diff --git a/oak_attestation_verification/tests/verifier_tests.rs b/oak_attestation_verification/tests/verifier_tests.rs index ec515fce994..e3a19608dbd 100644 --- a/oak_attestation_verification/tests/verifier_tests.rs +++ b/oak_attestation_verification/tests/verifier_tests.rs 
@@ -21,13 +21,13 @@ use oak_attestation_verification::{ verifier::{to_attestation_results, verify}, }; use oak_proto_rust::oak::attestation::v1::{ - attestation_results::Status, binary_reference_value, reference_values, - root_layer_reference_values, AmdSevReferenceValues, BinaryReferenceValue, - ContainerLayerEndorsements, ContainerLayerReferenceValues, EndorsementReferenceValue, - Endorsements, Evidence, KernelLayerEndorsements, KernelLayerReferenceValues, - OakContainersEndorsements, OakContainersReferenceValues, ReferenceValues, - RootLayerEndorsements, RootLayerReferenceValues, SkipVerification, StringReferenceValue, - SystemLayerEndorsements, SystemLayerReferenceValues, TransparentReleaseEndorsement, + attestation_results::Status, binary_reference_value, reference_values, AmdSevReferenceValues, + BinaryReferenceValue, ContainerLayerEndorsements, ContainerLayerReferenceValues, + EndorsementReferenceValue, Endorsements, Evidence, InsecureReferenceValues, + KernelLayerEndorsements, KernelLayerReferenceValues, OakContainersEndorsements, + OakContainersReferenceValues, ReferenceValues, RootLayerEndorsements, RootLayerReferenceValues, + SkipVerification, StringReferenceValue, SystemLayerEndorsements, SystemLayerReferenceValues, + TransparentReleaseEndorsement, }; use prost::Message; @@ -38,7 +38,7 @@ const VCEK_MILAN_CERT_DER: &str = "testdata/vcek_milan.der"; const ENDORSER_PUBLIC_KEY_PATH: &str = "testdata/oak-development.pem"; const REKOR_PUBLIC_KEY_PATH: &str = "testdata/rekor_public_key.pem"; const EVIDENCE_PATH: &str = "testdata/evidence.binarypb"; -const MOCK_EVIDENCE_PATH: &str = "testdata/mock_evidence.binarypb"; +const FAKE_EVIDENCE_PATH: &str = "testdata/fake_evidence.binarypb"; // Pretend the tests run at this time: 1 Nov 2023, 9:00 UTC const NOW_UTC_MILLIS: i64 = 1698829200000; 
@@ -49,10 +49,10 @@ fn create_evidence() -> Evidence { Evidence::decode(serialized.as_slice()).expect("could not decode evidence") } -// Creates a valid mock evidence instance. -fn create_mock_evidence() -> Evidence { - let serialized = fs::read(MOCK_EVIDENCE_PATH).expect("could not read evidence"); - Evidence::decode(serialized.as_slice()).expect("could not decode evidence") +// Creates a valid fake evidence instance. +fn create_fake_evidence() -> Evidence { + let serialized = fs::read(FAKE_EVIDENCE_PATH).expect("could not read fake evidence"); + Evidence::decode(serialized.as_slice()).expect("could not decode fake evidence") } // Creates valid endorsements for an Oak Containers chain. @@ -136,7 +136,8 @@ fn create_reference_values() -> ReferenceValues { }; let root_layer = RootLayerReferenceValues { - r#type: Some(root_layer_reference_values::Type::AmdSev(amd_sev)), + amd_sev: Some(amd_sev), + ..Default::default() }; let kernel_layer = KernelLayerReferenceValues { kernel_image: Some(skip.clone()), @@ -181,14 +182,15 @@ fn verify_succeeds() { } #[test] -fn verify_mock_evidence() { - let evidence = create_mock_evidence(); +fn verify_fake_evidence() { + let evidence = create_fake_evidence(); let endorsements = create_endorsements(); let mut reference_values = create_reference_values(); if let Some(reference_values::Type::OakContainers(reference)) = reference_values.r#type.as_mut() { reference.root_layer = Some(RootLayerReferenceValues { - r#type: Some(root_layer_reference_values::Type::Skip(SkipVerification {})), + insecure: Some(InsecureReferenceValues {}), + ..Default::default() }); } else { panic!("invalid reference value type"); diff --git a/proto/attestation/evidence.proto b/proto/attestation/evidence.proto index e97571c5a30..cf5e88beaf4 100644 --- a/proto/attestation/evidence.proto +++ b/proto/attestation/evidence.proto 
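Review bot: `verify_fake_evidence` only exercises the positive path; there is no test that fake evidence is rejected when the reference values carry just `amd_sev` (the shape `create_reference_values()` builds), which is the check that now matters because `Report::Fake` no longer short-circuits and instead depends on `insecure` being absent. A second negative test with both `amd_sev` and `insecure` set in the same `RootLayerReferenceValues` would pin whichever precedence the verifier is meant to have now that the fields are no longer mutually exclusive. For the first, reusing `create_fake_evidence()` with `create_reference_values()` unchanged and asserting that `verify(NOW_UTC_MILLIS, &evidence, &endorsements, &reference_values)` does not succeed would be enough; the exact failure status to assert on is not visible here. `verify_fake_evidence` continues past the end of this hunk.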
@@ -37,7 +37,7 @@ enum TeePlatform { TEE_PLATFORM_UNSPECIFIED = 0; AMD_SEV_SNP = 1; INTEL_TDX = 2; - NONE = 3; + TEE_PLATFORM_NONE = 3; } // Evidence generated by the Layer0. diff --git a/proto/attestation/reference_value.proto b/proto/attestation/reference_value.proto index 03afc6e9640..a04eef33a78 100644 --- a/proto/attestation/reference_value.proto +++ b/proto/attestation/reference_value.proto @@ -70,13 +70,11 @@ message StringReferenceValue { } message RootLayerReferenceValues { - oneof type { - // Switches between AMD SEV-SNP and Intel TDX based on TeePlatform value. - // Verification is skipped when not running in a TEE. - AmdSevReferenceValues amd_sev = 1; - IntelTdxReferenceValues intel_tdx = 2; - SkipVerification skip = 3; - } + // Switches between AMD SEV-SNP and Intel TDX based on TeePlatform value. + // Verification is skipped when not running in a TEE. + AmdSevReferenceValues amd_sev = 1; + IntelTdxReferenceValues intel_tdx = 2; + InsecureReferenceValues insecure = 3; } message AmdSevReferenceValues { @@ -93,9 +91,9 @@ message AmdSevReferenceValues { BinaryReferenceValue stage0 = 4; } -message IntelTdxReferenceValues { - // TBD -} +message IntelTdxReferenceValues {} + +message InsecureReferenceValues {} // Verifies that the field contains at least one of the given digests. // No checks are performed if this is empty. A match in at least one diff --git a/proto/attestation/verification.proto b/proto/attestation/verification.proto index aae24645363..b3473b5d45e 100644 --- a/proto/attestation/verification.proto +++ b/proto/attestation/verification.proto @@ -74,8 +74,8 @@ message RootLayerData { AmdAttestationReport sev_snp = 1; // Values extracted from an Intel TDX attestation report. IntelTdxAttestationReport tdx = 2; - // Values extracted from a mock report when not running in a TEE. - MockAttestationReport mock = 3; + // Values extracted from a fake report when not running in a TEE. + FakeAttestationReport fake = 3; } } 
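Review bot: The comment kept on `RootLayerReferenceValues` ("Verification is skipped when not running in a TEE.") is no longer accurate: after this change verification is skipped only when `insecure` is populated, and with the `oneof` removed nothing tells a policy author that the three fields are meant to be exclusive or that setting `insecure` next to `amd_sev` disables the SEV-SNP check for any evidence claiming `TEE_PLATFORM_NONE`. I would replace it with `// The verifier consults the field matching the TeePlatform reported in the evidence. Set exactly one. \`insecure\` accepts evidence produced outside a TEE and performs no root-layer verification, so it must never appear in a production policy.` Dropping the oneof is wire-compatible (field numbers and the empty message for 3 are unchanged), but it silently relaxes the old one-of-three invariant, so that invariant should at least be stated here.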
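Review bot: `message InsecureReferenceValues {}` is introduced without any comment, and its name is the only hint that selecting it turns off root-layer verification. I would add above it `// Reference values for evidence generated outside a TEE (TEE_PLATFORM_NONE). Selecting this disables root-layer attestation verification entirely; for development and testing only.` The neighbouring `IntelTdxReferenceValues {}` lost its `// TBD` in the same hunk, so a one-line note that TDX reference values are not yet defined would keep that fact visible to readers of the schema.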
@@ -106,8 +106,8 @@ message IntelTdxAttestationReport { bytes report_data = 1; } -// Values extracted from a mock attestation report when not running in a TEE. -message MockAttestationReport { +// Values extracted from a fake attestation report when not running in a TEE. +message FakeAttestationReport { // The custom bytes that were passed to the report when it was requested. bytes report_data = 1; }